GHSA-4r9c-jghc-cx5m

Source
https://github.com/advisories/GHSA-4r9c-jghc-cx5m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-4r9c-jghc-cx5m/GHSA-4r9c-jghc-cx5m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4r9c-jghc-cx5m
Aliases
Published
2021-11-10T16:45:34Z
Modified
2023-11-01T04:54:49.951948Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-site Scripting in apostrophe
Details

Apostrophe CMS versions from 2.63.0 through 3.3.1 are vulnerable to stored XSS: an editor can upload an SVG file containing malicious JavaScript to the Images module, and the script executes once the image is viewed.

Database specific
{
    "nvd_published_at": "2021-11-07T18:15:00Z",
    "github_reviewed_at": "2021-11-08T21:26:37Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

npm / apostrophe

Package

Affected ranges

Type
SEMVER
Events
Introduced
2.63.0
Fixed
3.4.0